The field of the invention is information systems access control, and in particular the dynamic loading of a rule in a firewall.
A firewall regulates the flow of packetized information. A packet includes a header and a payload. The header includes header parameters, such as a source address and destination address for the packet, as well as source and destination port numbers and a protocol number, flags, priority parameters, security information, etc. The payload includes the data meant to be conveyed by the packet from its source to its intended destination. A known firewall is placed between the packet""s source and intended destination, where it intercepts the packet. The known firewall filters a packet based upon the packet""s header parameters and a rule loaded into the firewall. The rule correlates a pattern in the header of a packet with a prescribed action, either PASS or DROP. The filter identifies the rule that applies to the packet based upon the packet""s header, and then implements the rule""s prescribed action. When a DROP action is performed, the packet is blocked (deleted), and does not reach its intended destination. When a PASS action is performed, the packet is passed onto ward its intended destination. The set of rules loaded into a firewall reflect a security policy, which prescribes what type of information is permissible to pass through the firewall, e.g., from which source, to which destination, for which applications, etc.
The set of rules loaded into a known firewall is static. The rules must typically be loaded with the intervention of a system administrator, and any changes to the rule set (additions, deletions, modifications) must also be implemented by the administrator. This disadvantageously limits the flexibility of the firewall to respond to changes in the security policy which it implements. Also, the firewall must disadvantageously store the entire set of rules implementing the security policy because the rules must be loaded manually. This is inefficient because it can require a large amount of memory resources, and increase the processor time needed to search for and locate a rule that applies to a given packet.
U.S. patent application Ser. No. 08/785,501, System and Method for Providing Peer-Level Access control on a Network, filed Jan. 17, 1997 now U.S. Pat. No. 6,233,686, discloses a firewall that dynamically loads a rule pertinent to the security policy of a peer when the peer is authenticated (e.g., logs on), and then deletes the rule when the peer logs off. Thus, for example, the rules pertaining to a peer are only stored at the firewall when the peer is logged on. This economically saves memory resources and reduces the search time and processor load to find a rule for a given packet. It also allows for greater flexibility because the peer rule set can be changed (e.g., by the peer) between the times it is loaded into the firewall.
Although the Peer-Level Access invention is more efficient and flexible than known firewalls, further improvements are needed in both areas. For example, while the peer""s rule set is loaded at the filter, only a small fraction of the rules may actually be implemented, depending upon the type of packets received at the firewall. The rules that are loaded but not needed during a session (e.g., the time between peer logon and log off) disadvantageously increase processor time during rule searches and absorb memory resources at the firewall unnecessarily.
In accordance with an embodiment of the present invention, a rule is loaded at a firewall when it is needed to prescribe an action with respect to a packet that is received. When the packet is received, the rules loaded at the firewall are searched for a rule that is pertinent to the received packet. If no such rule is found, then a pertinent rule is retrieved from a source external to the firewall, and loaded at the firewall. The firewall then implements the rule with respect to the packet. In one embodiment, the packet is either allowed to pass on to its intended destination, or dropped, in accordance with the action prescribed by the retrieved rule. When the rule expires (e.g., no further packets are received that correspond to the rule), the rule is deleted. This advantageously minimizes the amount of memory resources required to keep a current set of rules at the firewall. It also advantageously reduces the load on the processor at the firewall by reducing the number of rules that must be searched to find a rule that pertains to a received packet. Latency is advantageously reduced because a pertinent rule can be found more quickly when it is stored at the firewall.